Duo doesn't work on Windows Server 2012


#1

Hello, we are testing Duo Security and have run into a problem on a Windows Server 2012 R2 machine, where the Duo second authentication factor does not appear. We have tested it on a virtual Windows 7 machine without problems: everything appears, we do push authentication, and all is OK. But on Windows Server 2012 we do not know what could be happening. We turned off the antivirus and allowed the Internet connection through the proxy to all sites, and we even lowered the local firewall, and nothing changes: Duo authentication doesn't appear when making a Remote Desktop connection. We enabled the log and see the following:

04/13/18 14:49:04 [2288](2484) Making request: POST pi-xxxxxxxx.duosecurity.com:443/auth/v2/preauth?ipaddr=192.168.100.6&username=xxxxxxxx%5Cusername
04/13/18 14:49:04 [2288](2484) CDuoApiRequestContex ::SubmitRequest(000000B63543F840)
04/13/18 14:49:04 [2288](2484) CDuoApiRequestContex ::Reset
04/13/18 14:49:04 [2288](2484) WinHttpStatusCallback(000000B63543F840, WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, 000000B6353E5CC0, 29)
04/13/18 14:49:04 [2288](2484) Waiting for pre-authorization to complete...
04/13/18 14:49:04 [2288](620) WinHttpStatusCallback(000000B63543F840, WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, 000000B63329ED20, 13)
04/13/18 14:49:04 [2288](2484) CDuoApiRequestContex ::Join
04/13/18 14:49:04 [2288](620) WinHttpStatusCallback(000000B63543F840, WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, 000000B63329EB90, 13)
04/13/18 14:49:05 [2288](620) WinHttpStatusCallback(000000B63543F840, WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, 000000B6353DAD98, 16)
04/13/18 14:49:05 [2288](620) Caught WINHTTP_CALLBACK_STATUS_REQUEST_ERROR notification from WinHttpSendRequest: 12029
04/13/18 14:49:05 [2288](620) ERROR: Failure during WinHttp call (WinHttpSendRequest): No se pudo establecer conexión con el servidor
 [12029]

Could anyone help us? Thanks very much in advance!


#2

The log shows that the Duo software is trying to connect to pi-....duosecurity.com:443/auth/v2/preauth

That should be api-... (missing the leading “a” in the API host name).

You can use the registry editor to fix the API hostname value; find it under HKLM\SOFTWARE\Duo Security\DuoCredProv.

(Also, in the future you should avoid sharing anything to this public forum that reveals your unique Duo customer information… we’ve edited your post to hide your specific account info).


#3

Thanks for the reply, but I changed that URL to post it here; it is fine and begins with api-…, so that's not the problem. Thanks!


#4

Ah, OK.

The WinHTTP 12029 error seen in the log shows that the Duo software isn’t able to contact the Duo service. If the API host name is indeed correct, then it looks like you have another connectivity issue.

This knowledge base article has some steps you can take to troubleshoot HTTPS connectivity from that Windows 2012 system to Duo’s service.


#5

Thanks Kristina. I tested the connection in the browser and it is fine; I receive the JSON response code OK. The problem is that the Duo software does not make the connection to the Internet. We are checking this through the proxy that is configured in the system: from the proxy we are analyzing the traffic generated by this server, and we do not see any traffic at the time of login by Remote Desktop. It's as if Duo does not activate or send traffic. It's not blocked by any network issue, and I do not know how to troubleshoot it. Could you help me? Thanks in advance!


#6

Duo for Windows Logon doesn’t use browser-only proxy settings (like anything you have configured in IE). It will use system-wide proxy settings (like set with netsh) or you can point the Duo application to your proxy via a registry entry.

You may find these articles useful:

https://duo.com/docs/rdp-faq#does-duo-authentication-for-windows-logon-support-web-proxying?
https://duo.com/docs/rdp-faq#is-it-possible-to-use-a-web-proxy-only-for-duo-authentication-for-windows-logon-traffic?
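
A way to check for the mismatch described in #5 and #6, as an added example that is not part of the original thread or Duo's own tooling: it puts the per-user browser proxy, the system-wide WinHTTP proxy, and a direct TCP test to the API host side by side. The `$ApiHost` default is a placeholder, and the script only lists values whose names contain "Proxy" under the Duo registry key rather than assuming specific value names.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected server. $ApiHost is a placeholder: use your own API hostname.
param([string]$ApiHost = 'api-XXXXXXXX.duosecurity.com')

# 1. Per-user browser (IE) proxy. A browser test succeeds through this proxy,
#    but Duo for Windows Logon does not read it.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }

# 2. System-wide WinHTTP proxy. Printed as-is because netsh output is localized.
$winHttp = netsh winhttp show proxy

# 3. Any proxy-related values already present under the Duo key named in #2.
$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$duoProxy = @()
if (Test-Path $duoKey) {
    $duoProxy = @((Get-ItemProperty $duoKey).PSObject.Properties |
        Where-Object { $_.Name -like '*Proxy*' })
}

# 4. Direct TCP test to port 443, bypassing every proxy.
$direct = (Test-NetConnection -ComputerName $ApiHost -Port 443 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# Build the report lines.
$ieText  = if ($ieProxy) { $ieProxy } else { 'none' }
$duoText = if ($duoProxy) {
    ($duoProxy | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ', '
} else { 'none' }

"Browser (IE) proxy : $ieText"
"Direct TCP to 443  : $direct"
"Duo proxy values   : $duoText"
'WinHTTP proxy (netsh winhttp show proxy):'
$winHttp

# Browser works via its proxy, direct access fails, Duo has no proxy of its own:
# the WinHTTP output above decides whether the logon traffic can leave the host.
if (-not $direct -and $ieProxy -and -not $duoProxy) {
    'Direct access fails and only the browser has a proxy configured.'
    'If the WinHTTP output shows no proxy server, that matches error 12029.'
}
```

If the WinHTTP output shows no proxy while the browser has one, set the system-wide proxy with netsh or use the Duo-specific registry entry described in the FAQ links above.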